Penetration Testing mailing list archives
Re: Hosted Solutions -- Hackers Haven
From: "Adriel T. Desautels" <ad_lists () netragard com>
Date: Thu, 15 Oct 2009 18:33:03 -0400
Hi Roman,

My comments are embedded below.

On Oct 15, 2009, at 7:11 AM, Roman Medina-Heigl Hernandez wrote:
Shared hosting will always be far more insecure than a dedicated one, as you are suggesting (tons of websites in the same server multiply the risk of security compromise).
Dedicated hosts are at risk too.
But you're mixing concepts: "hosted" usually means "outsourced" but not necessarily "shared" (for instance, you could also hire a dedicated server, managed or not, and "host" your application there). You're referring to shared environments, I guess.
Hosted to me means anything that is hosted by a third party. Dedicated, shared, or even virtual doesn't matter. The only thing that changes is the penetration methodology.

Our team has tested a wide range of hosting providers. In all cases we were able to perform distributed metastasis and slip from client, to provider, to other clients.

The primary issue is the fact that most of these providers have some form of centralized client control. Take that control center, you take the clients. In many cases clients can give you access to the control center, in some cases they don't. When that happens you need to go for the throat and take the provider.

Another way to think about it is like this. If I'm a black hat why would I bother taking one company at a time when I could just take a hosting provider and pwn 1000 at a time?
Outsourcing has other risks/problems.

Cheers,
-Román

Adriel T. Desautels wrote:

Hi List.

This is a subject that seems to come up a lot when we deliver penetration testing services to our customers. I decided that a quick blog entry on the subject of hosting might be a good idea. I'm not adverse to hosting, but I'd like people to think twice before deciding to outsource their technology to a third party. Specifically, I'd like to see people consider the real risks that they might be introducing to their business. As usual, if there are any comments I'd love to hear them.

http://snosoft.blogspot.com/2009/10/hosted-solutions-hackers-haven.html

Human beings are lazy by nature. If there is a choice to be made between a complicated technology solution and an easy technology solution, then nine times out of ten people will choose the easy solution. The problem is that the easy solutions are often riddled with hidden risks and those risks can end up costing the consumer more money in damages than what might be saved by using the easy solution.

The advantages of using a managed hosting provider to host your email, website, telephone systems, etc, are clear. When you outsource critical infrastructure components you save money. The savings are quickly realized because you no longer need to spend money running a full scale IT operation. In many cases, you don’t even need to worry about purchasing hardware, software, or even hiring IT staff to support the infrastructure.

What isn’t clear to most people is the serious risk that outsourcing can introduce to their business. In nearly all cases a business will have a radically lower risk and exposure profile if they keep everything in-house. This is true because of the substantial attack surface that hosting providers have when compared to in-house IT environments.

For example, a web-hosting provider might host 1,000 websites across 50 physical servers. If one of those websites contains a single vulnerability and that vulnerability is exploited by a hacker then the hacker will likely take control of the entire server. At that point the hacker will have successfully compromised and taken control of all 50 websites with a single attack.

In non-hosted environments there might be only one Internet facing website as opposed to the 1000 that exist in a hosted environment. As such the attack surface for this example would be 1000 times greater in a hosted environment than it is in a non-hosted environment.

In a hosted environment the risks that other customers introduce to the infrastructure also become your risk. In a non-hosted environment you are only impacted by your own risks.

To make matters worse, many people assume that such a risk isn’t significant because they do not use their hosted systems for any critical transactions. They fail to consider the fact that the hacker can modify the contents of the compromised system. These modifications can involve redirecting online banking portal links, credit card form posting links, or even to spread infectious malware. While this is true for any compromised system, the chances of suffering a compromise in a hosted environment are much greater than in a non-hosted environment.

Adriel T. Desautels
ad_lists () netragard com
--------------------------------------
Subscribe to our blog
http://snosoft.blogspot.com

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
Adriel T. Desautels
ad_lists () netragard com
--------------------------------------
Subscribe to our blog
http://snosoft.blogspot.com